(SEPSDK-2962)
Line 1: Line 1:
 
= Configuring TLS =
 
= Configuring TLS =
 +
 +
The TLS support in SIP Endpoint SDK and Genesys Softphone on macOS is based on the Genesys Security Pack implementation, which relies on the OpenSSL library, a de-facto industry standard implementation on UNIX platforms. Currently, the macOS Keychain system is not supported. Instead, users should provide the client-side certificate and trusted CA list as files, using one of the file formats supported by the OpenSSL project.
 +
 +
To secure the connection to the SIP Server, users should set the '''protocol''' parameter to <tt>TLS</tt> in the corresponding Connectivity element of the '''Basic''' container in the SIP Endpoint SDK configuration file, whether the connection is direct or via SIP Proxy or SBC.
 +
 +
<Connectivity user="{dn}" server="{server:port}" protocol="TLS"/>
 +
 +
For Mutual TLS, you should also specify the '''certificate''' and '''certificate-key''' options, which refer to the public and private parts of the client-side certificate.
 +
 +
If these options are left empty, outgoing TLS connections will be used, but incoming TLS connections will not be possible. However, most deployments do not encounter this problem because Genesys SIP Server, SIP Proxy, and supported SBCs reuse the client-originated TLS connection by default without opening another TLS connection for delivering incoming SIP messages. In either case, the '''trusted-ca''' option is mandatory and should include the public key of the Certificate Authority (CA) used to sign the server-side certificate.
 +
 +
{{NoteFormat|
 +
The TLS configuration settings for securing the SIP connection can be found in the '''system.security''' section.
 +
}}
  
 
[[Category:V:SESDK:9.0.0OSXDRAFT]]
 
[[Category:V:SESDK:9.0.0OSXDRAFT]]
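Review bot: the sentence on '''trusted-ca''' says the option "should include the public key of the Certificate Authority (CA)", but what OpenSSL consumes for chain verification is the CA certificate (or a bundle of CA certificates), not a bare public key; suggest "should point to the file containing the CA certificate(s) used to sign the server-side certificate". The same paragraph and the NoteFormat box refer readers to the '''system.security''' section without showing the '''certificate''', '''certificate-key''' and '''trusted-ca''' settings themselves, and "one of the file formats supported by the OpenSSL project" leaves the expected format unstated; a one-line statement of the accepted format (PEM, if that is what the Security Pack reads) and a short fragment of the '''system.security''' settings beside the <tt>Connectivity</tt> element would make the page actionable.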

Revision as of 07:21, February 14, 2023

Configuring TLS

The TLS support in SIP Endpoint SDK and Genesys Softphone on macOS is based on the Genesys Security Pack implementation, which relies on the OpenSSL library, a de facto industry standard implementation on UNIX platforms. Currently, the macOS Keychain system is not supported. Instead, users should provide the client-side certificate and trusted CA list as files, using one of the file formats supported by the OpenSSL project.

To secure the connection to the SIP Server, users should set the protocol parameter to TLS in the corresponding Connectivity element of the Basic container in the SIP Endpoint SDK configuration file, whether the connection is direct or via SIP Proxy or SBC.

<Connectivity user="{dn}" server="{server:port}" protocol="TLS"/>

For Mutual TLS, you should also specify the certificate and certificate-key options, which refer to the public and private parts of the client-side certificate.

If these options are left empty, outgoing TLS connections will be used, but incoming TLS connections will not be possible. However, most deployments do not encounter this problem because Genesys SIP Server, SIP Proxy, and supported SBCs reuse the client-originated TLS connection by default without opening another TLS connection for delivering incoming SIP messages. In either case, the trusted-ca option is mandatory and should include the public key of the Certificate Authority (CA) used to sign the server-side certificate.

Important

The TLS configuration settings for securing the SIP connection can be found in the system.security section.
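Because the certificate, certificate-key and trusted-ca files are read by OpenSSL rather than the macOS Keychain, the usual deployment failures are a key that does not belong to the client certificate, a file that is not in a form OpenSSL parses, or a trusted-ca bundle that does not actually issue the SIP Server's certificate. The pre-flight script below is an added example (not part of the Genesys documentation or the SDK) that checks these three things with the OpenSSL command-line tool before the paths are entered in the configuration. It assumes the openssl binary is installed and PEM-encoded files; the file names and the check_tls_material function are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Genesys SIP Endpoint SDK or its documentation.
# Sanity-checks the files that the certificate, certificate-key and trusted-ca
# options will point at. Assumes the OpenSSL CLI is installed and PEM files.

# Return 0 when $1 parses as an X.509 certificate (first certificate of a bundle).
is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Return 0 when $1 parses as a private key.
is_pem_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Return 0 when the private key in $2 belongs to the certificate in $1.
# Both commands emit the SubjectPublicKeyInfo in PEM form, so a byte-for-byte
# comparison is enough.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $2 chains to the CA bundle $1; this is exactly
# what trusted-ca must achieve for the server-side certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check a mutual-TLS client's material:
#   $1 client certificate, $2 client private key, $3 trusted CA bundle,
#   $4 (optional) the SIP Server's certificate, exported beforehand.
check_tls_material() {
    cert=$1; key=$2; ca=$3; server_cert=$4
    is_pem_cert "$cert" || { echo "certificate: not a PEM X.509 certificate: $cert"; return 1; }
    is_pem_key "$key"   || { echo "certificate-key: not a PEM private key: $key"; return 1; }
    is_pem_cert "$ca"   || { echo "trusted-ca: not a PEM certificate bundle: $ca"; return 1; }
    key_matches_cert "$cert" "$key" || { echo "certificate-key does not match certificate"; return 1; }
    if [ -n "$server_cert" ]; then
        chains_to_ca "$ca" "$server_cert" || { echo "server certificate does not chain to trusted-ca"; return 1; }
    fi
    echo "TLS material OK"
}

# Usage (file names are placeholders for this example):
#   check_tls_material client.pem client.key ca-bundle.pem sipserver.pem
```

The optional fourth argument lets you confirm the trusted-ca bundle against the certificate the SIP Server, SIP Proxy or SBC actually presents; that certificate can be captured with `openssl s_client -connect host:port -showcerts` and saved to a file. A mismatch here means outgoing TLS connections would fail verification no matter how the Connectivity element is set.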
